- Domain controller
- Roles of a domain controller
- Leveraging ADAudit Plus
Definition of a domain controller
A domain controller (DC) is a central server in an organization's network. It stores information about user accounts, enforces security policies, and authenticates users accessing an organization's network resources.
A logical grouping of users, computers, and other relevant resources becomes an Active Directory (AD) domain. Based on the structure and hierarchy followed, an organization can have multiple domains and require multiple DCs to manage them.
DCs are used to:
- Create, manage, and modify an AD domain and its objects, such as users, groups, security policies, etc.
- Store and manage information in NTDS.DIT, the central database for an AD domain.
- Authorize users to access network resources such as file servers, printers, application servers, etc.
Difference between DCs and member servers
As discussed earlier, DCs are servers that perform authentication and authorization. However, a server can be added to a domain without being promoted to a DC. These servers are called member servers and are added to a domain to provide specific services such as file sharing, web hosting, application hosting, and more.
Fact: If a domain exists, so does a DC.
Every domain can have multiple DCs and has exactly one primary domain controller. However, a best practice to be followed is to have at least two DCs per domain, to ensure service continuity in the event of downtime. Setting up a domain controller is easy. All you need is a Windows server and you can promote it to a DC.
Roles of a domain controller
To efficiently use multiple DCs, AD allows organizations to assign critical roles to them. They are called Flexible Single Master Operations (FSMO) roles. This ensures critical changes are consistent across an AD environment.
Below are the 5 FSMO roles that can be assigned to a DC:
- Schema Master: DCs assigned with this role can be used to modify the schema—the blueprint of an AD environment—and enforce the modifications across the organization. This role can be assigned to only one DC in an AD environment.
- Domain Naming Master: An organization can have multiple domains, and to add or remove these domains, administrators will need to use a DC with the Domain Naming Master role. Similar to Schema Master, only one DC can be assigned this role.
- RID Master: RIDs (Relative Identifiers) are unique IDs for each AD object created. DCs generate them from a RID pool and assign one to every AD object. The RID Master in a domain assigns RID pools to ensure no two DCs can use the same RIDs.
- PDC Emulator: Every domain has a primary domain controller (PDC). This DC is responsible for time synchronization, ensuring changes are updated consistently across all other DCs, and resolving compatibility issues for legacy systems.
- Infrastructure Master: This role is useful when cross-domain object references exist. DCs assigned with this role are responsible for handling such references as well as identifying and removing stale accounts.
Fact: By default, the DC that was used to create a domain holds all 5 FSMO roles. However, these roles can be transferred to other DCs added to the domain.
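The following PowerShell script is an added example, not code from this page or from ManageEngine: it inventories which DC holds each of the five FSMO roles described above, warns when they all still sit on a single DC (the default after domain creation), and checks the "at least two DCs per domain" best practice from the previous section. It assumes a domain-joined machine with the RSAT ActiveDirectory module installed and an account that can read forest and domain configuration; it only reads, it changes nothing.

```powershell
# Added example (not from the original page): FSMO role inventory and DC-count check.
# Assumes the RSAT ActiveDirectory module and read access to forest/domain objects.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: exactly one holder each in the whole forest
$roles = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}

# Domain-wide roles: exactly one holder each per domain
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles["RID Master ($domainName)"]            = $domain.RIDMaster
    $roles["PDC Emulator ($domainName)"]          = $domain.PDCEmulator
    $roles["Infrastructure Master ($domainName)"] = $domain.InfrastructureMaster
}

# Role table for the report
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value }
} | Format-Table -AutoSize

# Check 1: all roles on one DC is the default after domain creation; losing that
# host then removes every role at once, so flag it for the administrator.
$holders = @($roles.Values | Sort-Object -Unique)
if ($holders.Count -eq 1) {
    Write-Warning "All FSMO roles sit on a single DC ($($holders[0]))."
}

# Check 2: at least two DCs per domain for service continuity
foreach ($domainName in $forest.Domains) {
    $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
    $count = $dcs.Count
    if ($count -lt 2) {
        Write-Warning "$domainName has only $count domain controller(s); add a second DC for redundancy."
    } else {
        Write-Output "$domainName has $count domain controllers: $($dcs.HostName -join ', ')"
    }
}
```

Run it from an elevated or ordinary PowerShell session on any domain-joined host; the same properties (SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster) are what you would compare against after transferring a role to confirm the move took effect.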
Why should domain controllers be monitored?
DCs are the backbone of an AD environment. By monitoring DCs, you can:
- Track user activities such as logons and logoffs, file modifications, remote desktop activity, and so on.
- Monitor administrative actions such as changes to accounts, configurations, etc.
- Stay compliant with regulations such as the PCI DSS, NIS 2, the GDPR, and more.
Since DCs hold sensitive user information and enforce security policies, they are often prime targets for cyberattacks. Monitoring user activities and identifying anomalous actions helps you secure your DCs and in turn protect your organizational network.
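As an added example of the logon monitoring described above (not part of the original page and not ADAudit Plus code), the PowerShell script below reads a DC's Security log for failed logons (event ID 4625) and account lockouts (event ID 4740), groups the failures by account and by source address, and warns when one account or one source exceeds a threshold, which is the pattern a brute-force or password-spraying attempt leaves behind. It assumes logon and account-management auditing is enabled, that the running account may read the Security log, and the `$DC`, `$Hours` and `$Threshold` parameters are assumptions you adjust for your environment.

```powershell
# Added example (not from the original page): failed-logon and lockout summary from a DC.
# Assumes Security-log read access and auditing enabled for logon/account-management events.
param(
    [string]$DC = $env:COMPUTERNAME,   # DC to query; defaults to the local host when run on a DC
    [int]$Hours = 24,                  # look-back window
    [int]$Threshold = 10               # failures per account / accounts per source considered suspicious
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)

# Parse the EventData block of an event into a name -> value hashtable
function Get-EventFields($event) {
    $xml = [xml]$event.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

# Failed logon attempts (4625) with target account, source address and NT status
$failed = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        Source  = $f['IpAddress']
        Status  = $f['Status']   # e.g. 0xC000006A bad password, 0xC0000064 unknown user
    }
}

Write-Output "Failed logons on $DC since $since, by account:"
$failed | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# One account, many failures: classic brute force
$failed | Group-Object Account | Where-Object Count -ge $Threshold | ForEach-Object {
    $sources = (@($_.Group.Source) | Sort-Object -Unique) -join ', '
    Write-Warning "$($_.Name): $($_.Count) failures from $sources"
}

# One source, many distinct accounts with few failures each: password spraying
$failed | Group-Object Source | ForEach-Object {
    $distinct = @($_.Group.Account | Sort-Object -Unique).Count
    if ($distinct -ge $Threshold) {
        Write-Warning "$($_.Name) attempted $distinct distinct accounts"
    }
}

# Lockouts (4740) are recorded on the PDC Emulator, so query that role holder
$pdc = (Get-ADDomain).PDCEmulator
Write-Output "Account lockouts recorded on PDC Emulator $pdc since ${since}:"
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $f['TargetUserName']
        CallerComputer = $f['TargetDomainName']   # in 4740 this field carries the caller computer name
    }
} | Format-Table -AutoSize
```

Because lockouts are processed by the PDC Emulator, the second query goes to that role holder rather than to the DC you started with; this is why the FSMO role layout from the previous section matters for monitoring, not only for administration.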
How ADAudit Plus helps in monitoring domain controllers
ManageEngine ADAudit Plus provides a single pane of reporting for all AD changes. It provides real-time, UBA-driven insights to detect suspicious and risky changes. With ADAudit Plus, you can gain full visibility into object modifications, logons, account lockouts, permission changes, file activity, and more.
Once your DCs are configured, our tool helps you:
- Monitor changes made to your AD objects with real-time change monitoring and be notified about unwarranted changes.
- Monitor successful and failed logon attempts to thwart potential threats with user logon tracking.
- Investigate and troubleshoot repeatedly locked-out user accounts with the account lockout examiner.
- Examine important file events—such as modifications or deletions—in real time using the file access tracking tool.
- Inspect changes made to Group Policy configurations with the GPO change auditor.
- Adequately satisfy the regulatory requirements of the GDPR and HIPAA with compliance audit reports.
- Detect 25+ common AD attacks—such as Kerberoasting, brute-force attacks, etc.—using an attack surface analyzer.
- Identify signs of insider activity across your AD environment using user behavior analytics.
Try all these features and more for free in a 30-day trial. Alternatively, get on a call with our technical experts to see how ADAudit Plus can help you.
